methods for the specification and verification of business...
Post on 04-Aug-2020
1 Views
Preview:
TRANSCRIPT
Methods for the specification and verification of business processes
MPB (6 cfu, 295AA)
Roberto Bruni http://www.di.unipi.it/~bruni
09 - Petri nets properties
1
Object
2
Free Choice Nets (book, optional reading) https://www7.in.tum.de/~esparza/bookfc.html
We give a formal account of some key properties of Petri nets
N `
Petri nets: behavioural properties
3
Properties of Petri nets
4
We describe, in an informal way, some of the properties of Petri nets that can play an important
role in the verification of business processes
Liveness Deadlock-freedom
Boundedness Cyclicity (also Reversibility)
Liveness
5
A transition t is live, if from any reachable marking M another marking M’ can be reached
where t is enabled
In other words, at any point in time of the computation, we cannot exclude that t will fire
in the future
A Petri net is live if all of its transitions are live
Liveness illustrated
6
M0
Liveness illustrated
6
M0 M
For any reachable marking M
Liveness illustrated
6
M0 M
Can we find a way to enable t?
For any reachable marking M
Liveness illustrated
6
M0 M
Can we find a way to enable t?
For any reachable marking M
M’
Liveness illustrated
6
M0 M
Can we find a way to enable t?
For any reachable marking M
M’t
Liveness, formally
7
(P, T, F,M0)
⌅t ⇤ T, ⌅M ⇤ [M0 ⌃, ⇧M � ⇤ [M ⌃, M � t�⇥
Liveness: pay attention!
8
Liveness should not be confused with the following property:
"starting from the initial marking M0 it is possible to reach a marking M that enables t"
(this property just ensures that t is not "dead" in M0)
Liveness: example
9
Which transitions are live? Which are not? Is the net live?
Marked place
11
Given a marking M
We say that a place p is marked (in M) if M(p) > 0
(i.e., there is a token in p in the marking M)
We say that p is unmarked if M(p) = 0
(i.e., there is no token in p in the marking M)
Live place, intuitively
12
A place p is live
if every time it becomes unmarked
there is still the possibility to be marked in the future
(or if it is always marked)
Live place
13
Definition: Let (P, T, F,M0) be a net system.
A place p � P is live if ⇥M � [M0 ⌅. ⇤M � � [M ⌅.M �(p) > 0
Place liveness
14
Definition:A net system (P, T, F,M0) is place-live if every place p � P is live
Liveness implies place-liveness
15
Proposition: Live systems are also place-live
Liveness implies place-liveness
15
Proposition: Live systems are also place-live
Take any p and any t ⇤ •p ⌅ p•
Let M ⇤ [M0 ⇧
By liveness: there is M �,M �� ⇤ [M ⇧ s.t. M � t�⇥ M ��
Then M �(p) > 0 or M ��(p) > 0
Dead nodes, intuitively
16
Given a marking M
A transition t is dead at M if t will never be enabled in the future
(i.e., t is not enabled in any marking reachable from M)
A place p is dead at M if p will never be marked in the future
(i.e., there is no token in p in any marking reachable from M)
Dead nodes
17
Definition: Let (P, T, F ) be a net system.
A transition t ⇤ T is dead at M if ⇧M � ⇤ [M ⌃.M � ⌅ t�⇥
A place p ⇤ P is dead at M if ⇧M � ⇤ [M ⌃.M �(p) = 0
Some obvious facts
18
If a system is not live, it must have a transition dead at some reachable marking
If a system is not place-live, it must have a place dead at some reachable marking
If a place / transition is dead at M, then it remains dead at any marking reachable from M
(the set of dead nodes can only increase during a run)
Every transition in the pre- or post-set of a dead place is also dead
Deadlock-freedom
19
A Petri net is deadlock free, if every reachable marking enables some transition
In other words, we are guaranteed that at any point in time of the computation, some
transition can be fired
Deadlock-freedom illustrated
20
M0
Deadlock-freedom illustrated
20
M0 M
For any reachable marking M
Deadlock-freedom illustrated
20
M0 M
Can we fire some transition?
For any reachable marking M
Deadlock-freedom illustrated
20
M0 M
Can we fire some transition?
For any reachable marking M
M’t
Deadlock freedom, formally
21
(P, T, F,M0)
⌅M ⇤ [M0 ⌃, ⇧t ⇤ T, Mt�⇥
Deadlock-freedom: example
22
Is the net deadlock-free?
Question time
24
Does liveness imply deadlock-freedom? (Can you exhibit a live Petri net that is not deadlock-free?)
Does deadlock-freedom imply liveness? (Can you exhibit a deadlock-free net that is not live?)
Liveness implies deadlock freedom
26
Lemma If (P, T, F,M0) is live, then it is deadlock-free
Liveness implies deadlock freedom
26
Lemma If (P, T, F,M0) is live, then it is deadlock-free
By contradiction, let M ⇤ [M0 ⌃, with M ⌅⇥
Let t ⇤ T (T cannot be empty).
By liveness, ⇧M � ⇤ [M ⌃ with M � t�⇥ .
Since M is dead, [M ⌃ = {M }.Therefore M = M � t�⇥, which is absurd.
Exercises
27
Prove each of the following properties or give some counterexamples
If a system is not place-live, then it is not live
If a system is not live, then it is not place-live
If a system is place-live, then it is deadlock-free
If a system is deadlock-free, then it is place-live
k-Boundedness
28
Let k be a natural number
A place p is k-bounded if no reachable marking has more than k tokens in place p
A net is k-bounded if all of its places are k-bounded
In other words, if a net is k-bounded, then k is a capacity constraint that can be imposed over places
without any risk of causing “overflow”
Safe nets
29
A place p is safe if it is 1-bounded
A net is safe if all of its places are safe
In other words, if the net is safe, then we know that, in any reachable marking, each place
contains one token at most
Boundedness
30
A place p is bounded if it is k-bounded for some natural number k
A net is bounded if all of its places are bounded
A net is unbounded if it is not bounded
Boundedness, formally
31
(P, T, F,M0)
⌅k ⇥ N, ⇤M ⇥ [M0 ⇧, ⇤p ⇥ P, M(p) � k
Boundedness: example
32
Which places are bounded? Is the net bounded?
Which places are safe? Is the net safe?
A puzzle about reachability
34
Theorem: If a system is... then its reachability graph is finite
Theorem: A system is... iff its reachability graph is finite
(fill the dots and the proofs)
A puzzle about boundedness
36
Theorem: If a system is k-bounded then any reachable marking contains a number of
tokens less than or equal to …
Theorem: If a system is safe then any reachable marking contains a number of
tokens less than or equal to …
(fill the dots and the proofs)
Cyclicity (aka Reversibility)
38
A marking M is a home marking if it can be reached from every reachable marking
A net is cyclic (or reversible) if its initial marking is a home marking
Orthogonal properties
39
Liveness, boundedness and cyclicity are independent of each other
In other words, you can find nets that satisfy any arbitrary combination of the above three properties
(and not the others)
Exercises
40
For each of the following nets, say if they are live, deadlock-free, bounded, safe, cyclic
Exercises
41
For each of the following nets, say if they are live, deadlock-free, bounded, safe, cyclic
Petri nets: structural properties
42
Structural properties
43
All the properties we have seen so far are behavioural (or dynamic)
(i.e. they depend on the initial marking and firing rules)
It is sometimes interesting to connect them to structural properties
(i.e. the shape of the graph representing the net)
This way we can give structural characterization of behavioural properties for a class of nets (computationally less expensive to check)
A matter of terminology
44
To better reflect the above distinction, it is frequent:
to use the term net system for denoting a Petri net with a given initial marking
(we study behavioural properties of systems)
to use the term net for denoting a Petri net without specifying any initial marking
(we study structural properties of nets)
Paths and circuits
45
A path of a net (P, T, F ) is a non-empty sequence x1x2...xk such that
(xi, xi+1) 2 F for every 1 i < k
(and we say that it leades from x1 to xk)
A path from x to y is called a circuit if:no element occurs more than once in it and (y, x) 2 F
(since for any x we have (x, x) 62 F , hence a circuit involves at least two nodes)
s
Connectedness
46
A net (P,T,F) is weakly connected iff it does not fall into (two or more) unconnected parts
(i.e. no two subnets (P1,T1,F1) and (P2,T2,F2) with disjoint and non-empty sets of elements can be
found that partition (P,T,F))
A weakly connected net is strongly connected iff for every arc (x,y) there is a path from y to x
Connectedness, formally
47
A net (P, T, F ) is weakly connected if every two nodes x, y satisfy
(x, y) � (F ⇥ F�1)⇥
(i.e. if there is an undirected path from x to y)
It is strongly connected if (x, y) � F ⇥
(here the * denotes the reflexive and transitive closure of a binary relation)
(here the * denotes the reflexive and transitive closure of a binary relation)
A note
48
In the following we will consider (implicitly) weakly connected nets only
(if they are not, then we can study each of their subsystems separately)
S-systems / S-nets
49
A Petri net is called S-system if every transition has one input place and one output place
(S comes from Stellen, the German word for place)
This way any synchronization is ruled out
The theory of S-systems is very simple
T-systems / T-nets
50
A Petri net is called T-system if every place has one input transition and one output transition
This way all choices/conflicts are ruled out
T-systems have been studied extensively since the early Seventies
Interference of conflicts and synch
51
!"#"$ %&''()*+,)'$ -'.&,$/'.0$ 1$
!"#$ %&''()*+,)'$ -'.&,$ /'.0$
-'.&,$ /'.0$*23'$2$42&5'$'67&'00,3'$7+8'&9$8*,)*$:2;'0$.*':$0<,.2=4'$.+$:+>'4$ 2$&,)*$
32&,'.?$ +@$>?/2:,)$ 0?0.':0"$ A0$ 2$)+/0'B<'/)'9$ .*'$ 2/24?0,0$ 245+&,.*:0$ @+&$ 2&=,.&2&?$
-'.&,$ /'.0$ 2&'$ =+</>$ .+$ *23'$ 2$ *,5*$ )+:74'6,.?$ C8*'/$ .*'?$ '6,0.D9$ 2/>$ ,.$ ,0$ /+.$
7+00,=4'$ .+$ >'3'4+7$ 2$)+:7&'*'/0,3'$ .*'+&?$ .*2.$ &'42.'0$ .*'$ 0.&<).<&'$ +@$ 2$-'.&,$ /'.$
.+$ ,.0$ ='*23,+<&"#$ E*'0'$ +=0.2)4'0$ )2/$ ='$ &':+3'>$ ,@$ 8'$ &'0.&,).$ +<&$ 2..'/.,+/$ .+$
)4200'0$+@$ -'.&,$ /'.0$ ,/$8*,)*$ ($ =?$:'2/0$+@$ )+/0.&2,/.0$ +/$ .*'$5&27*,)24$ 0.&<).<&'$ +@$
.*'$/'.$($ )'&.2,/$='*23,+<&$ ,0$&<4'>$+<."$ F/$G*27.'&$H$.8+$+@$.*'0'$)4200'0$2&'$0.<>,'>9$
)244'>$ I(0?0.':0$ 2/>$ E(0?0.':0"$ F/$ I(0?0.':09$ '3'&?$ .&2/0,.,+/$ *20$+/'$ ,/7<.$ 742)'$
2/>$+/'$+<.7<.$742)'9$2/>$.*'&'@+&'$0?/)*&+/,J2.,+/0$ 2&'$&<4'>$+<."$ K+.*$.*'$ 0.+&25'$
</,.$ 2/>$ .*'$ )+/.&+4$ </,.$ +@$ .*'$ 3'/>,/5$ :2)*,/'$ 2&'$ '62:74'0$ +@$ I(0?0.':0H"$ F/$
E(0?0.':09$ '3'&?$ 742)'$*20$+/'$ ,/7<.$ .&2/0,.,+/$ 2/>$ +/'$+<.7<.$ .&2/0,.,+/L$ )+/@4,).0$
2&'$ &<4'>$ +<."M$ E*'$ -'.&,$ /'.$ +=.2,/'>$ @&+:$ .*'$ 3'/>,/5$ :2)*,/'$ =?$ &':+3,/5$ .*'$
.&2/0,.,+/$ & ' N ' ) .$ )+ ,/$ 2/>$ ,.0$ 2>N2)'/.$ 2&)0$ ,0$2$ E(0?0.':"$
E*'$ .*'+&?$ +@$ I(0?0.':0$ ,0$3'&?$ 0,:74'"$ E(0?0.':0$ *23'$=''/$0.<>,'>$ 0,/)'$.*'$ '2&4?$
0'3'/.,'09$ 2/>$ 2&'$ .+>2?$ 3'&?$ 8'44$ </>'&0.++>"$ E*'0'$ .8+$ )4200'0$ 2&'$ 8'44$ 8,.*,/$
.*'$2/24?J2=,4,.?$ =+&>'&"$ E+$ 5'.$ )4+0'&$.+$ .*'$=+&>'&9$8'$244+8$=+.*$ 0?/)*&+/,J2.,+/$
2/>$ )+/@4,).9$ =<.$ ,/$ 0<)*$ 2$ 82?$ .*2.$ .*'?$ >+$ /+.$ O,/.'&@'&'O"$ A$ .?7,)24$ 0,.<2.,+/$
+@$ ,/.'&@'&'/)'$ ='.8''/$ 0?/)*&+/,J2.,+/$ 2/>$ )+/@4,).$ ,0$ 0*+8/$ ,/$ .*'$ -'.&,$ /'.$ +@$
%,5<&'$ !"1"$
%,1"$ !"1$ A$ -'.&,$ /'.$ ,/$8*,)*$ )+/@4,).0$ 2/>$0?/)*&+/,J2.,+/0$ ,/.'&@'&'$
E&2/0,.,+/0! "#$ 2/>! "$$ 2&'$ /+.$ ,/$ )+/@4,).9$ =')2<0'! "%$ )2//+.$ +))<&9$ =<.$ 8,44$ ='$ ,/$
)+/@4,).$ ,@$ 23$ +))<&0$ ='@+&'! "#&$ P+<5*4?$ 07'2;,/59$ ><'$ .+$ .*'$ 0?/)*&+/,J2.,+/$ 2.! "%'!
!"#$%$& $'()*& #(+#& ,-.$%& /-01,$'(*2& 3-456)& 756& $8$5& 456$/(673(,(*2& %$)4,*)& /-5/$%5(5+& 757,2)()&
7,+-%(*#0)& 9-%& 7%3(*%7%2& :$*%(& 5$*);&< "#$& %$7)-5& -9& *#$& 570$& =>?)2)*$0)=& ()& *#7*& 1,7/$)& 1,72& (5& *#$0& 7& 0-%$& (01-%*75*& %-,$& *#75&
*%75)(*(-5)@& 756& 1,7/$)& 7%$& /7,,$6! (")**)+& (5& A$%075& ?& *#$& ,75+47+$& (5& .#(/#& :$*%(& 5$*)& .$%$&
-%(+(57,,2& 6$9(5$6;&B "#$& /-58$%)$& 6-$)& 5-*& #-,6@& )$$& C'$%/()$$ !;B;&
.4$ ,!
Typical situation:
initially t1 and t2 are not in conflict
but when t3 fires they are in conflict (the firing of t3 is not controllable)
How to rule this situation out?
Free-choice nets
52
The aim is to avoid that a choice between transitions is influenced by the rest of the system
Easiest way: keep places with more than one output transition apart
from transitions with more than one input place
In other words, if (p,t) is an arc, then it means that t is the only output transition of p (no conflict)
OR p is the only input place of t (no synch)
Free-choice systems / nets
53
But we can study a slightly more general class of nets by requiring a weaker constraint
A Petri net is free-choice if whenever there is an arc (p,t), then there is an arc
from any input place of t to any output transition of p
Question time
54
Is the net an S-net, a T-net, free-choice?
top related